From: Jeff Bone (jbone@jump.net)
Date: Sat Sep 30 2000 - 08:58:52 PDT
Tony Finch wrote:
> I expect people to publish files from their workstation that shouldn't
> be published
Accidentally? Well, okay, but then that's on the individual user. On
purpose? I think preventing that's the role of policy, not software or system
administration.
> because of some accident caused by poor user interfaces,
> ignorance, and various different bits of software that they have
> installed pulling the security/usability balance all over the place.
>
> Sorry, no new bits -- it's been in RISKS many times in the last few months.
>
No new bits here, just some thoughts. The primary driver for the adoption of
HTTP IMO was that it decentralized control of cross-organizational and
interpersonal file sharing, pushed it away from the sysadmin groups. Anyone
could put up a server and administer it without much if any involvement on the
part of the traditional corporate IS control organizations. The reason that
it's become the new transport is that it's the most flexible protocol that's
generally open, at least outbound, past all the roadblocks (firewalls and other
security measures) that sysadmins throw up. The peer-to-peer case is
complicated by the general lack of inbound HTTP across firewalls, but there are
solutions to that.
Looking at all this, it's become abundantly clear to me that the main driver in
the protocol space these days is this sort of "race" between sysadmins, who
want to de facto control access to information resources and believe they know
better how to do that than developers and users, and developers / users who
find clever ways to route around the damage inflicted by overly-strict system
administration policies. Sysadmins and developers alike bitch that "the port
number in a TCP packet isn't static 80" but, ironically, it's their own arms
race that makes that the case for all intents and purposes. And the poor users
--- they just want to get to their stuff, share their stuff, etc.
(Interestingly, any time a group which has traditionally been a control (read:
choke) point for information access is taken out of the loop, it always creates
turmoil. Napster, DeCSS, etc. etc. etc.)
A wise man a long time ago at an IETF meeting told me "you shouldn't try to
solve social problems in software." (Note, he's not saying anything about
security, he's just saying that you have to give individuals rather than
organizations the tools needed.)
I believe that.
jb
This archive was generated by hypermail 2b29 : Sat Sep 30 2000 - 09:18:23 PDT